Your Smart City is going to need a Privacy Policy

As Smart City initiatives roll out across the world, we’re seeing the same kind of goldrush enthusiasm that accompanied the rise of social media adoption into people’s daily lives. Self-driving cars, heated sidewalks, sensors on every underground water meter and on lampposts collecting information from every passing vehicle and every pedestrian’s cell phone: it all sounds like the city of the future. In that rush, though, it would be a shame if the policymakers responsible for implementing Smart City technologies failed to learn the lessons still being processed in the wake of how social media eventually matured from the initial enthusiasm of its free-for-all, stay-in-touch-with-friends origins into the Big Brother, always-on, winner-take-all marketing bonanza that it eventually became. Did you ever get the feeling that you’ve been cheated? The same thing can’t happen with Smart Cities. Which is why, at the same time as most city administrations are hiring a Chief Technology Officer or an official responsible for Smart City operations, they should also hire a Chief Privacy Officer to oversee the whole thing. On this front Seattle, New York and Chicago are leading the way, demonstrating that the development of Smart City infrastructure can prioritize 1) Privacy 2) Security and 3) Ease of Use, in that order. This is going to have ramifications for any public-private partnerships that tend to drive Smart City initiatives. For cities to truly become “smart”, they need access to the constant stream of data that will be emitted by the countless sensors placed on lamposts, water mains, and every car driving down the road, to be able to realize the increase in quality of life promised by the efficiencies and improvements of Big Data. In Canada, cities like Surrey, Winnipeg, and Calgary with its nextCITY project, have been aggressively pushing into Smart City territory, while Montreal outright won the global Intelligent Community of 2016 award just over a month ago, a fact that will come as a surprise to anyone who has to drive a car there. Elevating Privacy as the first priority should not be seen as an unnecessary burden, but as a design challenge to create maximum value for citizens’ data.

“As cities latch on to smart city know-how in bigger numbers, it’s wise to remember that the driving force behind smart city endeavors should be the civic benefit they provide — not the profits they create for the Ciscos and IBMs that get billions from smart city contracts.” – Chicago Tribune editorial

Montreal recently launched a $100 million Smart City fund, aimed at helping start-ups develop next-generation tools for solving urban problems. And in April, Montreal partnered with Waze, a Google company, on a two-year pilot project for improving traffic outcomes through sharing publicly available traffic information. Montreal is also running a pilot project developed by traffic circulation technology company Orange Traffic, using 32 nondescript brown boxes which use Bluetooth to anonymously capture cell phone signals from passing motorists, letting the city know where, how far and how fast motorists are traveling. This is all very promising and exciting, and also lacks the priority that cities like Seattle, New York and Chicago have all decided to take seriously by placing the initial emphasis on privacy. Seattle is the North American pioneer in this regard, having effectively twinned a Privacy Initiative with the simultaneous implementation of Smart City proposals. Seattle launched its Privacy Initiative in November 2014, led by the Seattle Police Department and the city’s Department of Information Technology, aiming to define how the city collects, uses, and disposes of data in a responsible manner, balancing the needs of Smart City technologies to use large amounts of data with the privacy of citizens. This past May, Seattle appointed a Chief Privacy Officer, Susan Goodman, who would be responsible for collaborating with city departments, Seattle’s Community Technology Advisory Board, City Council, Seattle’s advocacy committee, citizens and other stakeholders to ensure that an emphasis on privacy enhances, rather than impedes, the effective implementation of Smart City technology by the city’s more than 750 city IT staff. The implementation of a Privacy Policy along with Smart City initiatives has to go deeper than boilerplate statements like, “Of course, we here at [insert name of company or city administration] take security and privacy concerns very seriously,” or the kind of thing that you get out of every technology company’s PR department. Just look at New York City’s “Guidelines for the Internet of Things”, which sets forth specific and detailed principles around 1. Privacy and Transparency; 2. Data management; 3. Infrastructure; 4. Security; and 5. Operations and Sustainability. “All personally identifiable information (PII) should be classified at a minimum as private,” says New York’s website. “All data that is classified as being confidential, or personally identifiable, should be protected from unauthorized use and disclosure.” Furthermore, “PII should by default be anonymized before being shared in any way that could make the information publicly searchable or discoverable.”

Elevating Privacy as the first priority should not be seen as an unnecessary burden, but as a design challenge to create maximum value for citizens’ data.

The process of anonymization is harder than it sounds, as has been pointed out by Privacy Analytics CEO Khaled El Emam, of Ottawa, who makes clear that “anyonymization” may not be going far enough, and that de-identification should be a greater priority. Chicago, just this summer, posted a draft version of its Array of Things Governance & Privacy Policies. As Chicago was ramping up its Smart City project, the Chicago Tribune published an editorial warning of the problematic nature of having all that data in one place and how it might be mishandled. “…as cities latch on to smart city know-how in bigger numbers, it’s wise to remember that the driving force behind smart city endeavors should be the civic benefit they provide — not the profits they create for the Ciscos and IBMs that get billions from smart city contracts,” writes The Tribune. Chicago, New York and Seattle now all publish, through a publicly accessible website, any information regarding Internet of Things or Smart City projects, outlining suggested changes to policy, as well as the locations of nodes for data collection, and the changing capacity of each city’s developing infrastructure. The buyer’s remorse that a lot of people feel about social media and some of the data overreach practiced by companies who have exhibited a cavalier attitude to handling personal data (think Uber’s “god view”), should serve as case studies for how city administrations should not handle privacy and security issues as they work to develop Smart City infrastructure. The potential for economic development if Smart City initiatives are done right is tremendous, for improving growth, for job creation, for education and for improving every citizen’s quality of life, but only if Privacy is regarded as the horse that pulls the cart forward.